Network security as a service using virtual secure channels

ABSTRACT

Disclosed are methods, devices, and systems to provide an end-to-end secure transaction over a network. In one embodiment, a machine-implemented method comprises opening an in-band channel or an out-of-band channel over the network; authenticating, through the control plane of a switch managing the network, a user of a resource over the in-band channel or the out-of-band channel; authorizing the user, through the control plane, access to the resource over the in-band channel or the out-of-band channel; and accounting for a transaction conducted by the user accessing the resource, through the control plane, over the in-band channel or the out-of-band channel. In another embodiment, a switch to manage the network and to implement the method described herein is disclosed.

CLAIM OF PRIORITY

This application is a non-provisional application claiming priority to co-pending U.S. non-provisional patent application Ser. No. 13/748,517 titled: “NETWORK SECURITY AS A SERVICE USING VIRTUAL SECURE CHANNELS,” filed on Jan. 23, 2013, which claimed priority to U.S. provisional patent application Ser. No. 61/748,049 titled: “NETWORK SECURITY AS A SERVICE USING VIRTUAL SECURE CHANNELS,” filed on Dec. 31, 2012.

INCORPORATION BY REFERENCE

This application incorporates by reference U.S. patent application Ser. No. 13/726,491 titled: “METADATA-DRIVEN SWITCH NETWORK CONTROL,” filed on Dec. 24, 2012, in its entirety.

FIELD OF TECHNOLOGY

This disclosure relates generally to network security technology and, in one example embodiment, to methods and devices to provide network security to a user of a software defined network (SDN).

BACKGROUND

Demand for a more secure network switching infrastructure has increased with the proliferation of mobile and/or untethered computing devices (such as supervisory control and data access (SCADA) systems, industrial control systems, transportation systems, smartphones, tablet computers, set-top boxes, and hotspot devices). Applications and web browsers running on such devices and over such an infrastructure may be susceptible to attacks by malicious agents at a resource level, or at a resource flow level (such as eavesdropping, key loggers, worms, viruses, Trojan horses, or spoofing attacks). While security experts have developed increasingly complex means of securing traffic flow (such as networking protocols, encryption tunnels, and key generation and authentication systems), the challenge remains to secure a transaction from its origination on a client device to its destination behind a switch, while providing a means for non-repudiation.

The field of network security also shares the common goals of confidentiality, integrity, and availability. Confidentiality in network security solutions may be compromised in systems that administer and transfer keys. These systems may rely on physical access to a certification authority, a connection that may not be supported or maintained by mobile clients using a wide area network (WAN). Furthermore, in systems implementing a network layer socket management service, malware may install itself at the operating system, network, transport, or application layer and redirect traffic to malicious servers.

In addition, network security switches and routers may adopt a blacklist approach to prevent malicious agents from connecting to a network and compromising the security of the network. However, a blacklist may implement a draconian set of rules or regular expressions to locate and filter out malicious traffic. To circumvent this, a malicious agent may simply change a single bit to evade the most sophisticated traffic management and malware detection system.

SUMMARY

Disclosed are methods, devices, and systems to provide an end-to-end secure transaction over a software defined network (SDN). In one aspect, a machine-implemented method includes: opening an in-band virtual secure channel (VSC) or an out-of-band VSC over the SDN; authenticating, through the control plane of a switch managing the SDN, a user of a resource over the in-band VSC or the out-of-band VSC; authorizing the user, through the control plane, access to the resource over the in-band VSC or the out-of-band VSC; and accounting for a transaction conducted by the user accessing the resource, through the control plane, over the in-band VSC or the out-of-band VSC.

The in-band VSC or the out-of-band VSC may be opened at a resource level, a resource flow level, or a network level using a user identity, a client device identity, and/or a resource identity distributed through a public key infrastructure (PKI). The method may also involve receiving a configuration data from a client device of the user, through a near field communication (NFC) chip embedded in the switch, and issuing a health data of the switch to the client device through the NFC chip. The method may further involve authenticating the user of the resource by comparing a user identity against a stored identity in an authentication database of the control plane of the switch. In this case, the user identity may be received through the in-band VSC or the out-of-band VSC.

At a resource level, all traffic for a specific resource or application may be encapsulated in a single VSC irrespective of the number of unique flows generated for that resource. At a resource flow level, all traffic from a specific user, device, or resource may be encapsulated in multiple VSCs according to the unique flow of traffic. At a network level, traffic may be encapsulated according to specific source and destination network addresses without regard to the resource or the flows.

The method may include authorizing the user's access to the resource by: generating, through the control plane, a one-time encrypted software token (EST) for the user based on a key agreement technique and a user identity, a client device identity, and/or a resource identity; storing the one-time EST generated in a key management database of the control plane; analyzing and comparing, through a hash comparison engine of the control plane, a hash of an independently generated EST received from the user against the one-time EST stored in the key management database; and granting the user access to the resource through the in-band VSC or the out-of-band VSC based on a result of the comparison.

The method may additionally involve accounting for a transaction conducted by the user accessing the resource in near real-time by storing a historical and a near real-time information related to the user, a client device used by the user, the resource, the transaction, the in-band VSC, and/or the out-of-band VSC in an accounting database of the control plane. The transaction conducted by the user may also be accounted for by: performing, through a data plane of the switch managing the SDN, a deep-packet-inspection (DPI) of a data packet transmitted through the in-band VSC or the out-of-band VSC and filtering out, through the data plane of the switch managing the SDN, a data packet not transmitted through the in-band VSC or the out-of-band VSC.

The transaction conducted by the user may further be accounted for by: identifying, through a data plane of the switch managing the SDN, a true source and a destination of a malicious data packet transmitted through the in-band VSC or the out-of-band VSC and redirecting and duplicating, through the data plane of the switch managing the SDN, in near-real time, the malicious data packet for further analysis. The method may also involve accounting for the transaction conducted by the user by checking, through a data plane of the switch managing the SDN, an application on the client device of the user against a verified version of the application presented in a third-party application and application reputation store through the in-band VSC or the out-of-band VSC and checking, through the data plane of the switch, an operating system and an operating system kernel on the client device of the user against a verified version of the operating system and the operating system kernel through the in-band VSC or the out-of-band VSC.

Finally, the transaction conducted by the user may be accounted for by issuing, through a data plane of the switch managing the SDN, an update for the application, the operating system, and/or the operating system kernel through the in-band VSC or the out-of-band VSC.

In another aspect, a switch to manage a software defined network (SDN) comprises one or more off load engines, one or more host processors, and one or more co-processors embedded in the switch; one or more near field communication (NFC) chips communicatively coupled to the one or more host processors; one or more storage devices communicatively coupled to the one or more off load engines and co-processors; and one or more programs. The one or more programs are stored in the one or more storage devices and are executable by the one or more off load engines and co-processors.

In addition, the one or more programs comprise instructions to open an in-band VSC or an out-of-band VSC over the SDN; instructions to authenticate, through the control plane of the switch, a user of a resource over the in-band VSC or the out-of-band VSC; instructions to authorize the user, through the control plane, access to the resource over the in-band VSC or the out-of-band VSC; and instructions to account, for a transaction conducted by the user accessing the resource, through the control plane, over the in-band VSC or the out-of-band VSC. The in-band VSC or the out-of-band VSC may be opened at one of a resource level, a resource flow level, or a network level using a user identity, a client device identity, and/or a resource identity distributed through a public key infrastructure.

The one or more programs may also comprise instructions to receive a configuration data from a client device of the user, through an NFC chip embedded in the switch, and issue a health data of the switch to the client device through the NFC chip. One of the storage devices may also comprise instructions to authenticate the user of the resource by comparing a user identity against a stored identity in an authentication database of the control plane. The user identity may be received through the in-band VSC or the out-of-band VSC.

The one or more programs may also comprise instructions to authorize the user's access to the resource with further instructions to: generate, through the control plane, a one-time EST for the user based on a key agreement technique and a user identity, a client device identity, and/or a resource identity; store the one-time EST generated in a key management database of the control plane; analyze and compare, through a hash comparison engine of the control plane, a hash of an independently generated EST received from the user against the one-time EST stored in the key management database; and grant the user access to the resource through the in-band VSC or the out-of-band VSC based on a result of the comparison.

In addition, the one or more programs may comprise instructions to account for a transaction conducted by the user accessing the resource in near real-time by storing a historical and a near real-time information related to the user, a client device used by the user, the resource, the transaction, the in-band VSC, and/or the out-of-band VSC in an accounting database of the control plane. The instructions to account for a transaction conducted by the user may comprise further instructions to: perform, through a data plane of the switch, a deep-packet-inspection (DPI) of a data packet transmitted through the in-band VSC or the out-of-band VSC and filter out, through the data plane of the switch, a data packet not transmitted through the in-band VSC or the out-of-band VSC. Further instructions to account for a transaction conducted by the user may include instructions to: identify, through a data plane of the switch, a true source and a destination of a malicious data packet transmitted through the in-band VSC or the out-of-band VSC, and redirect and duplicate, through the data plane of the switch, in near-real time the malicious data packet for further analysis. This allows for a near real time security incident handling process to be initiated while an attack is in progress.

The one or more programs may also comprise instructions to account for a transaction conducted by the user with further instructions to check, through a data plane of the switch, an application on the client device of the user against a verified version of the application presented in a third-party application and application reputation store through the in-band VSC or the out-of-band VSC. Moreover, the one or more programs may comprise instructions to check, through a data plane of the switch, an operating system and an operating system kernel on the client device of the user against a verified version of the operating system and the operating system kernel through the in-band VSC or the out-of-band VSC and issue, through a data plane of the switch, an update for the application, the operating system, and/or the operating system kernel through the in-band VSC or the out-of-band VSC.

The methods and systems disclosed herein may be implemented in any means for achieving various aspects. Other features will be apparent from the accompanying drawings and from the detailed description that follows.

BRIEF DESCRIPTION OF THE DRAWINGS

Example embodiments are illustrated by way of example and are not limited to the figures of the accompanying drawings, in which like references indicate similar elements.

FIG. 1 illustrates a switch to manage a SDN, according to one or more embodiments.

FIG. 2 illustrates the switch of FIG. 1 opening one or more in-band or out-of-band VSCs over the SDN, according to one or more embodiments.

FIG. 3 illustrates a columnar process flow diagram of a user gaining access to a resource through the switch of FIG. 1, according to one or more embodiments.

FIG. 4 illustrates a flowchart diagram of authenticating a user through the switch of FIG. 1, according to one or more embodiments.

FIG. 5 illustrates an authorization of the user through the switch of FIG. 1, according to one or more embodiments.

FIG. 6 illustrates an accounting database of the switch of FIG. 1, according to one or more embodiments.

FIG. 7 illustrates operations performed by a control plane and a data plane of the switch of FIG. 1, according to one or more embodiments.

FIG. 8 illustrates verification checks and updates being transmitted through the data plane of the switch of FIG. 1, according to one or more embodiments.

FIG. 9 illustrates the switch of FIG. 1 separating traffic in a multitenant network, according to one or more embodiments.

Other features of the present embodiments will be apparent from the accompanying drawings and from the detailed description that follows.

DETAILED DESCRIPTION

Disclosed are methods and devices to provide an end-to-end secure transaction over a software defined network (SDN). Although the present embodiments have been described with reference to specific example embodiments, it will be evident that various modifications and changes may be made to these embodiments without departing from the broader spirit and scope of the various embodiments. It should be understood by one of ordinary skill in the art that the terms “application(s),” “program(s),” “software,” “software code,” “sub-program(s),” “module(s),” and “block(s)” are industry terms that refer to computing instructions stored in a memory or storage device of a processing device and executable by a processor of the processing device.

Reference is now made to FIG. 1, which illustrates a block diagram of a switch 100 used to control or manage a SDN 118. In one or more embodiments, the switch 100 comprises one or more off load engines (for example, off load engines 102A and 102B) coupled to one or more co-processors (for example, co-processors 108A and 108B). In one or more embodiments, an off load engine, such as off load engine 102A, may be a server grade processor (e.g., a processor comprising at least 8 cores and operating at a minimum clock speed of 1.8 gigahertz (GHz)). In one embodiment, off load engines 102A and 102B may be cryptographic and deep packet inspection (DPI) off load engines. The co-processors (for example, co-processors 108A and 108B) may be additional off load engines (or a processor with equivalent processing power) and may take on processing duties when the primary off load engines (for example, off load engines 102A and 102B) are overloaded. It should be understood by one of ordinary skill in the art that the terms off load engine and co-processors are industry terms that refer to computing processors in a physical network switch.

In the example embodiment shown in FIG. 1, the switch 100 may comprise off load engine 102A and off load engine 102B. In this embodiment, off load engine 102A may be coupled to one or more co-processors 108A and off load engine 102B may be coupled to one or more co-processors 108B. In this same embodiment, the off load engine 102A may also be coupled to a ternary content addressable memory (T-CAM) 110A and the off load engine 102B may also be coupled to another T-CAM 110B. A T-CAM refers to a form of high-speed memory hardwired with low-level computing applications or programs. The T-CAM may comprise both volatile and non-volatile memory. The most commonly implemented CAMs are binary CAMs, which only search for ones and zeros. A T-CAM allows the processor to access a third state, or “X” state. The X state may be a “mask,” meaning its value may be anything. This additional capability is especially useful when used to perform networking, encryption, and deep packet inspection (DPI) operations at rates as high as 40 gigabits per second to 100 gigabits per second. When performing calculations, bits are first masked and then logical operations are performed on the rest of the data packet. A network switch may store entire routing tables in T-CAM for easy lookup. In one embodiment, each off load engine embedded in the switch 100 may have one or more T-CAMs coupled to the off load engine. In this same embodiment, one or more T-CAMs (for example, T-CAM 110C in FIG. 1) may store re-writable or upgradeable microcode that may be used to instruct a switch silicon 112 by translating machine instructions into a sequence of circuit-level operations.

Both off load engines 102A and 102B may also be coupled to a shared memory 104, which, in turn, may be coupled to one or more storage devices 106. As indicated in FIG. 1, at least one of the storage devices 106 may comprise instructions 107 to control a control plane 120 and a data plane 122 of the switch 100.

Shared memory 104 may be any form of non-volatile random access memory (NVRAM) in combination with a dynamic random access memory (DRAM) embedded in the switch 100. The shared memory 104 may be used to temporarily store data that the one or more off load engines (for example, off load engines 102A and 102B) and co-processors (for example, co-processors 108A and 108B) are using for an operation.

Both off load engines 102A and 102B may also be coupled to the switch silicon 112, which may, itself, be coupled to one or more host processors 114. It is understood by one of ordinary skill in the art that a switch silicon refers to a switch integrated circuit chip capable of routing network traffic. In one embodiment, the switch silicon 112 is any switch chip with at least 64 ports and a minimum aggregate bandwidth throughput of 640 gigabits per second (GBPS). The one or more host processors 114 may be used to operate the switch silicon 112. In one embodiment, the data plane 122 (also see FIG. 2) may refer to components of the switch silicon 112 used to route network traffic through the switch 100.

Moreover, a near field communication (NFC) chip 124 may be coupled to the one or more host processors 114 and may be used by a user 200A (see FIG. 2) to provision the switch 100 through a client device 208A (see FIG. 2). The NFC chip 124 may be any NFC tag operating on an ISM radio band approved by the NFC Forum and satisfying the requirements of ISO/IEC 18000-3, ISO/IEC 14443, or JIS X 6319-4.

In one or more embodiments, the switch 100 may be the metadata-driven switch described in U.S. patent application Ser. No. 13/726,491.

Reference is now made to FIG. 2, which illustrates the switch 100 of FIG. 1 opening one or more in-band or out-of-band VSCs (for example, VSC 242A to VSC 242N) over the SDN, according to one or more embodiments. It should be understood by one of ordinary skill in the art of network security that a SDN refers to a network architecture where network traffic is controlled using software without requiring the network administrator to have access to the network's hardware devices. A switch used to manage the SDN (such as switch 100) may decouple the control of the network, through a control plane (such as control plane 120) of the switch, from the switching or forwarding of network traffic, through a data plane (such as data plane 122) of the switch.

In one embodiment, the switch 100 managing an SDN may open one or more in-band VSCs or out-of-band VSCs (for example, VSC 242A to VSC 242N) over the SDN. Once a VSC is established, all data packets transmitted through the VSC may be encrypted and decrypted using mutually authenticated digital signatures. In one embodiment, the in-band and out-of-band VSC (for example, VSC 242A to VSC 242N) may operate on an internet layer of TCP/IP using an Internet Key Exchange (IKE or IKEv2) protocol and an Internet Protocol Security (IPsec) complying with Request for Comment (RFC) 6071. In another embodiment, the switch 100 may open one or more in-band VSCs or out-of-band VSCs (for example, VSC 242A to VSC 242N) over the SDN using a transport layer security (TLS) protocol operating on an upper layer of TCP/IP complying with RFC 6176.

In one embodiment, an in-band VSC may refer to a VSC opened over an in-band network 230. This in-band network 230 may be a wired or a wireless network where the wireless network is established over a licensed radio frequency (RF) band. In addition, an out-of-band VSC may refer to a VSC opened over an out-of-band network 232. This out-of-band network 232 may be a wireless network established over an unlicensed RF band (e.g., an ISM radio band). For additional information regarding unlicensed RF bands, please refer to: the International Telecommunication Union Frequently Asked Questions page, http://www.itu.int/ITU-R/terrestrial/faq/index.html; the 3rd Generation Partnership Project (3GPP), http://www.3gpp.org/; and the Federal Communications Commission's Spectrum Topics, http://www.fcc.gov/spectrum, and Encyclopedia, http://www.fcc.gov/encyclopedia/radio-spectrum-allocation.

As depicted in FIG. 2, the switch 100 comprises a control plane 120 and a data plane 122. The control plane 120 further comprises a key management database 234, an authentication database 244, and an accounting database 246. While the VSCs and the network traffic carried by the VSCs are forwarded through the data plane 122 of the switch, the control plane 120 stores information transmitted through the VSCs and controls how network traffic is forwarded through the data plane 122.

In FIG. 2, VSC 242A to VSC 242N may refer to any number of VSCs established over the in-band network 230 or the out-of-band network 232. In one or more embodiments, an in-band VSC or an out-of-band VSC may be opened at a resource level, a resource flow level, or a network level using a user identity, a client device identity, or a resource identity distributed through a public key infrastructure (PKI).

In the exemplary embodiment shown in FIG. 2, user 200A may be assigned a user identity 202A by a network administrator. The user identity 202A may comprise a public key 204A and a private key 206A. The user identity 202A may comprise information known only to the user 200A, such as a username or password, and may be used by the PKI to create the public key 204A and the private key 206A. While a public key 204A can be sent through the one or more VSCs, the user 200A's private key 206A cannot be shared with anyone other than the user 200A. In FIG. 2, the user 200A uses a client device 208A to access a resource 210A on the client device 208A or a resource 236A behind the switch 100. In either case, the client device 208A may be assigned a client device identity 216A comprising a public key 218A and a private key 220A. The user identity 202A and the client device identity 216A may be stored in a trusted platform module (TPM) of the client device 208A, which is understood by one with ordinary skill in the art to mean a cryptographic off load processor designed to store cryptographic keys on a network-enabled device. The client device identity 216A may comprise information related to a manufacturer of the client device 208A, an operating system running on the client device 208A, a serial number of the client device 208A, and/or a memory type installed on the client device 208A used by the PKI to create the public key 218A and the private key 220A.

In one embodiment, the client devices indicated in FIG. 2 (208A-208N) may refer to a network enabled processing device (e.g., SCADA, ICS, smartphone, mobile phone, tablet computer, laptop, computer, etc.). In another embodiment, the client devices indicated in FIG. 2 (208A-208N) may refer to a network enabled apparatus (e.g., a network enabled security camera, network enabled walkie-talkie, network enabled thermostat, etc.). In a further embodiment, the client devices indicated in FIG. 2 (208A-208N) may refer to an enclave device coupled to a network enabled processing device.

Moreover, the resource 210A may also be assigned a resource identity 222A comprising a public key 224A and a private key 226A. In this embodiment, a resource (such as resource 210A) may refer to a set of data, an application, or access to a network such as a wide area network (WAN) (e.g., the Internet) or an enterprise network or intranet. While resource 210A may be stored in a memory of the client device 208A, the resource 210A may also be an application layer or presentation layer of a resource residing on an application server behind the switch 100. For example, resource 236A may be ultimately accessed by the user 200A when the user 200A inputs commands into the presentation layer of the resource (such as resource 210A).

As depicted in FIG. 2, VSC 242A may be an in-band VSC opened at a network level from the client device 208A through the in-band network 230 and ending at the resource 236A. In this embodiment, the VSC 242A may carry network traffic for various applications on the client device 208A (e.g., email traffic, web browsing traffic, VOIP traffic, etc.). In another embodiment, the VSC 242N may be an out-of-band VSC opened at a resource level from resource 210N on client device 208N through the out-of-band network 232 to resource 236N. The VSC 242N may carry network traffic exclusively for the resource 210N (e.g., enterprise application traffic). Network traffic through all such VSCs, including VSC 242A and VSC 242N, may be forwarded or directed through the data plane 122 of the switch 100. In another embodiment, the VSC may carry traffic at a resource flow level when the resource requires communication with multiple destinations, such as a web browser.

In one embodiment, the VSC 242A may be opened for a pre-determined period of time. In another embodiment, the VSC 242A may be opened for as long as a resource is being used by the user 200A. In a further embodiment, the VSC 242A may close as soon as a malicious agent is detected on the SDN, or as soon as a transaction is completed, to mitigate risk from a malicious agent.

Also depicted in FIG. 2 is the switch 100's control plane 120 comprising the key management database 234, the authentication database 244, and the accounting database 246. In one embodiment, the key management database 234 may include a lightweight directory access protocol (LDAP) database storing information related to a user identity, a client device identity, or a resource identity. The key management database 234 may share information with the authentication database 244 and the accounting database 246.

In addition to the aforementioned users, client devices, and resources, it should be understood by one of ordinary skill in the art of network security that the switch 100 may accommodate any number of users (ranging from user 200A to user 200N), client devices (ranging from client device 208A to client device 208N), and resources (ranging from resource 210A to resource 210N) up to the switching capacity of the data plane 122 of the switch 100. It should also be understood by one of ordinary skill in the art that the switch 100 may be connected to other switches on the SDN to form a switch system that may extend the switch capability of the data plane 122.

Reference is now made to FIG. 3, which illustrates a columnar process flow diagram of the user 200A gaining access to a resource (such as resource 236A) through the switch 100 of FIG. 1, according to one or more embodiments. As depicted in FIG. 3, operation 300 involves the user 200A requesting access to the resource. This may involve the user 200A tapping on a display screen of a client device used by the user 200A (such as client device 208A). The display screen may display a user interface of an application (such as one of the applications 214A) stored in the device 208A. In one embodiment, the application may be the presentation layer of one of the applications 240A resident on an application server communicatively coupled to the switch 100.

In response to the request of the user 200A, operation 302 involves the switch 100 opening an in-band VSC or an out-of-band VSC to the client device 208A over the SDN. In this case, the VSC may be opened at a resource level, a resource flow level, and/or a network level for the sole purpose of authenticating and authorizing the user as required by the resource. As indicated in FIG. 2, opening a VSC at a resource level (such as for one specific software application) may involve transmitting all data packets relating to the resource from the client device 208A to the switch 100 or an application server coupled to the switch (and vice versa). Once the in-band or out-of-band VSC has been opened, operation 304 may involve the switch 100 prompting the user to input a set of credentials into the client device 208A. The set of credentials may include a biometric data received from the user 200A (wherein the biometric data may be obtained from a biometric reader coupled to the client device 208A), a user name and password, and/or a pattern recognition data received from the user 200A (wherein the pattern recognition data may be obtained from a pattern recognition reader—such as a QR code reader, a gesture reader, or a bar code reader—coupled to the client device 208A).

In response to the credentials entered by the user 200A, operation 306 may then involve the switch 100 authenticating the user 200A through the VSC opened (for example, VSC 242A). In this operation, the switch 100 may authenticate the user 200A trying to access the resource by comparing a user identity (such as user identity 202A) against a stored identity in the authentication database 244 of the control plane 120 of the switch 100. The stored identity may be a user identity entered into the authentication database 244 by a network administrator or may be a user identity stored in the authentication database 244 after a previous transaction to create, modify, or validate a user authentication data. In one embodiment, operation 304 may be considered a sub-operation of 306 and the authentication mechanism may be implemented through a multi-factor authentication procedure. In one embodiment, this procedure may comprise the user 200A having to enter two or more credentials (for example, a biometric entry and a user name/password) into the client device 208A before the switch 100 authenticates the user 200A. Operation 306 may also involve additional sub-operations which are illustrated in further detail in FIG. 4. The VSC may then be immediately closed once the authentication is complete.

Once authenticated, operation 308 may involve the client device 208A sending configuration data or a configuration setting through an NFC chip embedded in the client device 208A. Operation 310 may involve the switch 100 receiving the configuration data from the client device 208A through an NFC chip (such as NFC chip 124) embedded in the switch 100. Operations 308 and 310 allow the user 200A to provision the switch 100 by simply holding the client device 208A close to the switch 100.

Operation 312 may involve the client device 208A independently generating an encrypted software token (EST). At the same time that the client device 208A is generating the EST, the switch 100 may also generate a one-time EST in operation 316. Operation 314 may involve the client device 208A sending a hash of the independently generated EST to the switch 100 through the VSC 242A. In operation 318, programs in the control plane 120 of the switch 100 may then analyze and compare the hash of the independently generated EST received from the client device 208A against the one-time EST generated by the switch 100; for the two values to be comparable, the switch 100 hashes its own one-time EST with the same hashing algorithm, so that the digests match only when both sides derived the same token.

Operation 320 may involve the switch 100 granting the user 200A access to the resource based on a result of the comparison. Furthermore, operation 322 may involve the control plane 120 of the switch 100 accounting, in near real time, for a transaction conducted by the user 200A accessing the resource. Finally, operation 324 involves the switch 100 accepting the configuration data received through the NFC chip 124. Operation 326 involves the switch 100 issuing health data through the client device 208A (or another processing device) or through a display interface on the switch 100.

In one or more embodiments, the user 200A may refer to a human user accessing a resource on the client device 208A. In other embodiments, the user 200A may refer to another client device used by a human user to access the client device 208A. For example, the user 200A may be a human user's home computer used by the human user to access a work laptop (which may be client device 208A in this case), which may, in turn, be instructed by the home computer to open an enterprise application on the work laptop to retrieve a resource behind the switch 100. The user 200A, in this case, would be the home computer rather than the human user.

Reference is now made to FIG. 4, which illustrates a flowchart of detailed steps to authenticate the user 200A through the switch 100 of FIG. 1, according to one or more embodiments. In particular, FIG. 4 depicts an in-depth embodiment of operation 306 of FIG. 3. Operation 400 involves the switch 100 receiving a hash of the credentials of the user 200A from the client device 208A. In operation 402, the control plane 120 of the switch 100 may then record a near real-time location of the client device 208A (as provided by a GPS locator of the client device 208A) and a near real-time IP address of the client device 208A. Additionally, the switch may then begin to record a user behavior of the user 200A and a list of all resources accessed by the user 200A using the client device 208A.

In operation 404, the switch 100 may query whether the hash of the credentials received from the user 200A is valid. If the answer to this query is yes, the switch 100 may then proceed to operation 406. If the answer to the query is no, the switch 100 may then deny the user 200A access to the resource (e.g., resource 236A) by closing the VSC. In operation 406, the switch 100 may be prompted to check the authentication policy, which may contain specific rules such as a user's role, a time-of-day, or other relevant policy data. Moreover, in operation 408, the switch 100 may be prompted to also check the access policy concerning the resource in question. In operation 410, the switch 100 may obtain a set of stored encrypted credentials for the resource and transmit the credentials to the resource. This may comprise a legacy username and password specifically for that given resource (and only for that given resource), permitting the switch 100 to enable single sign-on (SSO) and a common credentialing system, regardless of the number of disparate resources. Finally, in operation 412, the resource (for example, resource 236A) may decide whether the credentials for the resource are valid before authenticating the user 200A. If the resource 236A determines that the credentials for the resource are not valid, the resource 236A may deny the user 200A access to the resource.
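The following is an added example of the authentication flow of operations 400 to 412, written for this page and not taken from the patent or any product implementing it. It models the control plane 120 validating the credential hash in constant time, enforcing the multi-factor requirement, applying the role and time-of-day authentication policy, applying the per-resource access policy, and finally handing stored per-resource credentials to the resource for its own check. The salted-digest scheme, the identifiers, the policy tables, and the resource's account table are constructed for the example; decryption of the stored encrypted credentials is omitted, and the user's location and IP address are only recorded, as in operation 402.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# All identifiers, the salted-digest scheme and the policy tables below are
# constructed for this example; the patent names the steps, not the encodings.
SALT_202A = b"constructed-salt-for-user-200A"


def credential_hash(salt: bytes, factors: Dict[str, str]) -> bytes:
    """Hash of the credential set computed on the client device (operation 400).
    Each factor is bound to its kind so a value entered in the wrong field cannot
    produce the same digest."""
    h = hashlib.sha256(salt)
    for kind in sorted(factors):
        h.update(kind.encode() + b"=" + factors[kind].encode() + b"\x00")
    return h.digest()


AUTHENTICATION_DB = {  # authentication database 244 (stored identities)
    "user-200A": {
        "credential_hash": credential_hash(
            SALT_202A, {"password": "correct-horse", "biometric": "fp-template-7"}),
        "role": "engineer",
        "min_factors": 2,      # multi-factor: two or more distinct credential kinds
    },
}
AUTHENTICATION_POLICY = {  # operation 406: rules keyed by role, e.g. time-of-day
    "engineer": {"allowed_hours": (7, 19)},
}
ACCESS_POLICY = {  # operation 408: rules keyed by resource
    "resource-236A": {"roles": {"engineer", "admin"}},
}
STORED_RESOURCE_CREDENTIALS = {  # operation 410: per-resource legacy credentials
    ("user-200A", "resource-236A"): ("legacy-alice", "legacy-pass-1"),
}
RESOURCE_ACCOUNTS = {  # what resource 236A itself accepts (operation 412)
    "resource-236A": {"legacy-alice": "legacy-pass-1"},
}


class ControlPlane:
    """Control plane 120: records the request, validates the hash, applies both
    policies, then lets the resource validate the SSO credentials."""

    def __init__(self) -> None:
        self.audit_log: List[dict] = []   # operation 402: location, IP, resource

    def authenticate(self, user_id: str, presented_hash: bytes, factor_kinds: List[str],
                     resource_id: str, hour: int, gps: Tuple[float, float],
                     ip: str) -> Tuple[bool, str]:
        self.audit_log.append({"user": user_id, "gps": gps, "ip": ip,
                               "resource": resource_id, "hour": hour})
        entry = AUTHENTICATION_DB.get(user_id)
        if entry is None:
            return False, "unknown user; VSC closed"
        if len(set(factor_kinds)) < entry["min_factors"]:
            return False, "multi-factor requirement not met"
        if not hmac.compare_digest(entry["credential_hash"], presented_hash):
            return False, "invalid credentials; VSC closed"           # operation 404: no
        start, end = AUTHENTICATION_POLICY[entry["role"]]["allowed_hours"]
        if not start <= hour <= end:
            return False, "outside authentication policy hours"        # operation 406
        if entry["role"] not in ACCESS_POLICY.get(resource_id, {}).get("roles", set()):
            return False, "role not permitted by resource access policy"  # operation 408
        creds = STORED_RESOURCE_CREDENTIALS.get((user_id, resource_id))
        if creds is None:
            return False, "no stored credentials for resource"         # operation 410
        username, password = creds
        expected = RESOURCE_ACCOUNTS[resource_id].get(username, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return False, "resource rejected legacy credentials"       # operation 412
        return True, "authenticated"
```

Each refusal returns the step that failed, which is what the accounting database would record; the audit entry is written before any check so that failed attempts are also logged.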

As indicated above, in one embodiment, the resource 236A may reside on an application server communicatively coupled to the switch 100, or the resource 236A may reside on the switch 100 itself. Moreover, the resource 236A may have a presentation layer residing on the client device 208A (for example, resource 210A) used by the user 200A to access the resource behind the switch.

Reference is now made to FIG. 5, which illustrates an authorization of the user 200A, previously authenticated as described in FIG. 4, through the switch 100 of FIG. 1, according to one or more embodiments. In one embodiment depicted in FIG. 5, the switch 100 may authorize the user 200A's access to a resource (for example, resource 236A) over an out-of-band VSC (for example, VSC 242A). The control plane 120 of the switch 100 may generate a one-time EST 500 based on a key agreement technique and also using information from the user identity 202A, the client device identity 216A, and/or the resource identity 222A. The user identity 202A, the client device identity 216A, and the resource identity 222A may be received from the client device 208A when the VSC was first opened. Once the one-time EST 500 has been generated, the one-time EST 500 may be stored in the key management database 234 of the control plane 120 of the switch 100. The one-time EST 500 may then be sent to a hash comparison engine 406 on the control plane 120 of the switch 100.

Also depicted in FIG. 5 is a client device (shown in FIG. 5 as client device 208A) independently generating an EST based on the user identity 202A, the client device identity 216A, and/or the resource identity 222A of the user 200A, the client device 208A, and/or the resource 236A accessed, respectively. The independently generated EST 502 may then be converted to a hash of the independently generated EST 504 through a hashing algorithm such as Secure Hash Algorithm (SHA)-256 (according to U.S. Federal Information Processing Standard (FIPS) 180-4). The hash of the independently generated EST 504 may be transmitted to the switch 100 through the VSC 242A. The hash comparison engine 406 may analyze and compare the hash of the independently generated EST 504 received from the client device 208A of the user 200A against the one-time EST 500 stored in the key management database 234 (hashing the stored one-time EST 500 with the same algorithm before the comparison). The data plane 122 of the switch 100 may then grant the user 200A of the client device 208A access to the resource 236A through the VSC 242A. In one embodiment, the resource 236A may comprise an application residing on an application server communicatively coupled to the switch 100.
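The EST exchange of operations 312 to 320 (FIG. 3) and FIG. 5, as an added example that is not code from the patent or from any product: both sides derive the token from the three identities, the client sends only a SHA-256 digest, and the hash comparison engine hashes the stored one-time EST with the same algorithm and compares in constant time. The patent names a "key agreement technique" without specifying one, so this example assumes a shared secret already established when the VSC is opened (SHARED_SECRET, a constructed value) and a per-VSC nonce issued by the switch to make the token one-time; HMAC-SHA256 as the derivation function, the class names, and the identifiers are likewise assumptions. Removing the stored token on first use is what makes a replayed digest fail.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# ASSUMPTIONS for this example (the patent names a "key agreement technique" but
# not a specific one): both sides already hold SHARED_SECRET when the VSC is
# opened, and the one-time property comes from a fresh nonce the switch hands
# to the client at that moment. SHARED_SECRET is a constructed value.
SHARED_SECRET = bytes.fromhex("6f5d4c3b2a19080716253443526170ff" * 2)


def derive_est(shared_secret: bytes, user_id: str, device_id: str,
               resource_id: str, vsc_nonce: bytes) -> bytes:
    """EST derived from the key-agreement secret, the user identity 202A, the
    client device identity 216A, the resource identity 222A and the VSC nonce."""
    info = b"|".join([user_id.encode(), device_id.encode(),
                      resource_id.encode(), vsc_nonce])
    return hmac.new(shared_secret, b"EST-v1|" + info, hashlib.sha256).digest()


def hash_est(est: bytes) -> bytes:
    """SHA-256 (FIPS 180-4) of an EST: what the client actually sends (504)."""
    return hashlib.sha256(est).digest()


class Switch:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.key_management_db: Dict[str, bytes] = {}   # key management database 234

    def open_vsc(self, vsc_id: str, user_id: str, device_id: str,
                 resource_id: str) -> bytes:
        """Identities arrive when the VSC is opened; the switch generates the
        one-time EST 500 (operation 316), stores it and returns the nonce."""
        nonce = os.urandom(16)
        self.key_management_db[vsc_id] = derive_est(
            self.secret, user_id, device_id, resource_id, nonce)
        return nonce

    def authorize(self, vsc_id: str, client_hash: bytes) -> bool:
        """Hash comparison engine 406: hash the stored one-time EST with the same
        algorithm, compare in constant time, and consume the token either way."""
        est = self.key_management_db.pop(vsc_id, None)   # one-time: gone after use
        if est is None:
            return False
        return hmac.compare_digest(hash_est(est), client_hash)


class ClientDevice:
    def __init__(self, secret: bytes, user_id: str, device_id: str) -> None:
        self.secret, self.user_id, self.device_id = secret, user_id, device_id

    def request_access(self, resource_id: str, nonce: bytes) -> bytes:
        """Operations 312/314: derive the EST independently and send only its hash."""
        est = derive_est(self.secret, self.user_id, self.device_id, resource_id, nonce)
        return hash_est(est)


def run_exchange(requested_resource: str, client_resource: Optional[str] = None,
                 replay: bool = False) -> bool:
    """Drive one authorization over VSC 242A. client_resource lets the client
    derive its EST for a different resource than the switch expects; replay
    presents the same hash a second time."""
    switch = Switch(SHARED_SECRET)
    client = ClientDevice(SHARED_SECRET, "user-200A", "device-208A")
    nonce = switch.open_vsc("vsc-242A", client.user_id, client.device_id,
                            requested_resource)
    digest = client.request_access(client_resource or requested_resource, nonce)
    granted = switch.authorize("vsc-242A", digest)
    if replay:
        return switch.authorize("vsc-242A", digest)
    return granted


if __name__ == "__main__":
    print("legitimate:", run_exchange("resource-236A"))
    print("wrong resource:", run_exchange("resource-236A", "resource-236B"))
    print("replay:", run_exchange("resource-236A", replay=True))
```

Because the resource identity is an input to the derivation, a token derived for resource 236A cannot be presented for another resource, and because the switch stores the token rather than the digest, nothing that crosses the VSC can be reused to authorize a second transaction.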

Reference is now made to FIG. 6, which illustrates the switch 100 of FIG. 1 accounting for a transaction conducted by a user through the accounting database 246, according to one or more embodiments. In one embodiment, the switch 100 may store certain historical and near real-time information regarding a user (for example, user 200A), a client device (for example, client device 208A), a resource (for example, resource 210A), an in-band VSC (for example, VSC 242A), or an out-of-band VSC (for example, VSC 242B). The accounting database 246 may reside in one or more of the storage devices 106, and information from the accounting database 246 may be called upon by the control plane 120 of the switch 100.

As indicated in FIG. 6, the accounting database 246 may comprise historical information related to the user 600, near real-time information related to the user 602, historical information related to the client device 604, near real-time information related to the client device 606, historical information related to the resource 608, near real-time information related to the resource 610, historical information related to the in-band VSC 612, near real-time information related to the in-band VSC 614, historical information related to the out-of-band VSC 616, and near real-time information related to the out-of-band VSC 618. Historical information may be presented as a report by the resource, by the user, or by the client device on an hourly, daily, weekly, monthly, or annual basis.

An accounting application 708 (see FIG. 7) may also account for information regarding a flow, a VSC, a device, and/or a resource. In this embodiment, flow information may comprise data packets from a user, a device, an application, a tenant, and/or a VLAN identifier. Additionally, the accounting application 708 may account for 5-tuple (src IP, dst IP, src port, dst port, and/or protocol identifier) information regarding network address translation (NAT) addresses, a flow state, a sequence number, a bandwidth low watermark, a bandwidth high watermark, a current bandwidth, a flow uptime, an L4 application protocol, and/or an L7 application protocol. Additionally, the accounting application 708 may account for information regarding a VSC, such as the user identity, the device identity, and the resource identity used to open the VSC, and the type of VSC opened (whether in-band or out-of-band). Furthermore, the accounting application 708 may account for the processes, applications, and data accessed by a client device and the configuration of the client device, including manufacturer information, the operating system and applications installed on the client device, the serial number of the client device, the type of memory on the client device, and the version of the client device. Tracking this level of data enables a near real-time security incident handling process in which a network administrator can manage and monitor all traffic per user, per device, and/or per resource.
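An added example, not from the patent, of the per-flow accounting described above: packets are keyed by their 5-tuple, each flow record carries the NAT address, state, sequence number, bandwidth low/high watermarks, current bandwidth, uptime and L4/L7 protocol, and the records roll up per user, per device, per resource or per VSC for the report. The packet metadata, the millisecond timestamps, the one-second bandwidth window and the simple NEW/ESTABLISHED/CLOSED state machine are assumptions of this example; the patent lists the fields, not their encoding.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, str, int, int, str]   # src IP, dst IP, src port, dst port, protocol

# Constructed packet metadata as the accounting application 708 would receive it
# from the packet sampling control and switch control 700 block. The field names
# follow the patent's list; the per-packet encoding, the millisecond timestamps
# and the 1-second bandwidth window are assumptions of this example.
FLOW_A = dict(src="10.0.0.5", dst="192.0.2.10", sport=40000, dport=443, proto="tcp",
              user="user-200A", device="device-208A", resource="resource-236A",
              vsc="vsc-242A", vlan=900, nat_src=("203.0.113.7", 51000), l4="TCP", l7="HTTPS")
FLOW_B = dict(src="10.0.0.9", dst="192.0.2.20", sport=5060, dport=5060, proto="udp",
              user="user-200B", device="device-208B", resource="resource-236B",
              vsc="vsc-242B", vlan=901, nat_src=("203.0.113.7", 51001), l4="UDP", l7="SIP")
SAMPLE_PACKETS: List[dict] = [
    dict(FLOW_A, ts=100, len=1000, seq=1, flags="S"),
    dict(FLOW_A, ts=500, len=1500, seq=2, flags="A"),
    dict(FLOW_B, ts=700, len=300, seq=0, flags=""),
    dict(FLOW_A, ts=1200, len=500, seq=3, flags="A"),
    dict(FLOW_B, ts=1900, len=300, seq=0, flags=""),
    dict(FLOW_A, ts=2300, len=200, seq=4, flags="F"),
]


@dataclass
class FlowRecord:
    user: str
    device: str
    resource: str
    vsc: str
    vlan: int
    nat_src: Tuple[str, int]
    l4: str
    l7: str
    first_ts: int
    last_ts: int
    state: str = "NEW"
    last_seq: int = 0
    out_of_order: int = 0
    bytes_total: int = 0
    window: int = 0          # index of the current 1-second window
    window_bytes: int = 0
    bw_low: int = -1         # watermarks in bytes/s; -1 until a window has closed
    bw_high: int = 0
    bw_current: int = 0

    @property
    def uptime_ms(self) -> int:
        return self.last_ts - self.first_ts


class AccountingApplication:
    def __init__(self) -> None:
        self.flows: Dict[FiveTuple, FlowRecord] = {}

    def observe(self, p: dict) -> FlowRecord:
        key: FiveTuple = (p["src"], p["dst"], p["sport"], p["dport"], p["proto"])
        rec = self.flows.get(key)
        if rec is None:
            rec = FlowRecord(p["user"], p["device"], p["resource"], p["vsc"], p["vlan"],
                             p["nat_src"], p["l4"], p["l7"], p["ts"], p["ts"],
                             window=p["ts"] // 1000)
            self.flows[key] = rec
        elif rec.state == "NEW":
            rec.state = "ESTABLISHED"
        if "F" in p["flags"] or "R" in p["flags"]:
            rec.state = "CLOSED"
        if p["seq"] and p["seq"] < rec.last_seq:     # sequence going backwards
            rec.out_of_order += 1
        rec.last_seq = max(rec.last_seq, p["seq"])
        w = p["ts"] // 1000
        if w != rec.window:                            # close the previous window
            rec.bw_current = rec.window_bytes          # bytes/s over a 1-s window
            rec.bw_high = max(rec.bw_high, rec.bw_current)
            rec.bw_low = rec.bw_current if rec.bw_low < 0 else min(rec.bw_low, rec.bw_current)
            rec.window, rec.window_bytes = w, 0
        rec.window_bytes += p["len"]
        rec.bytes_total += p["len"]
        rec.last_ts = p["ts"]
        return rec

    def totals(self, by: str) -> Dict[str, int]:
        """Byte totals per user, device, resource or vsc for the report."""
        out: Dict[str, int] = defaultdict(int)
        for rec in self.flows.values():
            out[getattr(rec, by)] += rec.bytes_total
        return dict(out)


def run_sample() -> AccountingApplication:
    app = AccountingApplication()
    for p in SAMPLE_PACKETS:
        app.observe(p)
    return app
```

The watermarks are updated only when a window closes, so the current window's partial count is never reported as a rate; windows with no packets are not counted as zero-rate windows, which is a simplification a production collector would need to handle.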

Once the user 200A has been authenticated and authorized according to the methods described above, and the transaction conducted by the user 200A has been accounted for in the accounting database 246, the switch 100 can provide non-repudiation of the transaction to a third party: the accounting record ties the transaction to the authenticated user identity, client device identity, and resource identity used to open the VSC.

Reference is now made to FIG. 7, which illustrates operations performed by the control plane 120 and the data plane 122 of the switch 100 of FIG. 1, according to one or more embodiments. FIG. 7 shows the data plane 122 having a packet sampling control and switch control 700 block. For purposes of this section, a data packet may refer to information relating to a resource accessed by the user of a client device or the actual resource itself. In one or more embodiments, the packet sampling control and switch control 700 block may be a set of instructions stored in one of the T-CAMs of the switch 100 (for example, T-CAM 110A or T-CAM 110B). The packet sampling control and switch control 700 block may receive one or more command packets 702 from the control plane 120 instructing the data plane 122 to forward network traffic a certain way to maintain confidentiality, integrity, and availability of the network, the resources, and/or the client devices. The packet sampling control and switch control 700 block may also receive data packets 706 through one or more of the VSCs (for example, VSC 242A as shown in FIG. 7) or data packets 704 not sent through a VSC. For all such packets (including command packets 702, data packets 704, and data packets 706), the packet sampling control and switch control 700 block will forward the packets to an accounting application 708 to store the information in the accounting database 246 (see FIG. 6). In one embodiment, the data plane 122 may identify a true source and intended destination of the data packet through operation 710. However, the data packets 704 not sent through a VSC may be dropped at this point.

Once the data packets have been accounted for through the accounting application 708, operation 712 involves the data plane 122 querying whether the data packet is a command from a remote switch communicatively coupled to the SDN managed by the switch 100. If the answer to this query is yes, then the packet may be sent to the control plane and the true source of the data packet may be examined. If the answer to this query is no, then the data packet is sent to a deep-packet-inspection (DPI) application 714. In one embodiment, the DPI application 714 is a set of instructions stored in one or more storage devices 106 of the switch 100. In another embodiment, the DPI application 714 is a set of instructions stored in a T-CAM (either T-CAM 110A or T-CAM 110B) of the switch 100.

The DPI application 714 may first query the data packets through operation 716, which asks whether a key logger was associated with the data packet examined. If the answer to this query is yes, the data packet may be forwarded to the control plane 120 as part of a set of sampled packet feedback 730. If the answer to this query is no, then operation 718 may query whether malicious traffic patterns or malicious behavior was detected from the manner in which the data packet was transmitted through the VSC. Similar to the above, if the answer to this query is yes, the data packet may be forwarded to the control plane 120 as part of the set of sampled packet feedback 730. If the answer to this query is no, operation 720 may query whether abnormal user behavior was detected when the user requested access to the resource. Such a query may further involve analyzing the location of the client device when the request was made, the time-of-day that the request was made, and/or the type of resource accessed at the aforementioned location and time-of-day. If the answer to this query is yes, the data packet may be forwarded to the control plane 120 as part of the set of sampled packet feedback 730. If the answer to this query is no, then operation 722 may query the data packet to see if the data packet should be sent to a honeypot. In one embodiment, the honeypot may be a database used to sequester and quarantine the data packet for further analysis. If the answer to this query is yes, then the data packet would be sent to the honeypot and a portion of the packet would be sent back to the control plane 120 as part of the set of sampled packet feedback 730.

Finally, if the answer to this query is no, the DPI application 714 may then route the data packet to its intended destination 726 or drop the data packet through a delete program (indicated as a trash can 728 in FIG. 7). In any case, a portion of any data packet to be dropped would be routed to the control plane 120 as part of the sampled packet feedback 730. After receiving such sampled packet feedback 730 from the data plane, the control plane 120 may instruct the data plane 122 to change the routing pattern or behavior of the switch to take into account this new information. Such information provides the control plane 120 with a snapshot of the health of the SDN managed by the switch 100.

Reference is now made to FIG. 8, which illustrates verification checks and updates being transmitted through the data plane of the switch of FIG. 1, according to one or more embodiments. These checks and updates are made to maintain the integrity of the client devices, the integrity of the resources, and the integrity of the network itself, which are under constant threat from malicious agents. Automatic updates will be pushed should the integrity be compromised. In one embodiment, a resource 210A of the client device 208A may comprise one or more applications 214A, an OS 800, and/or an OS kernel 802. As depicted in FIG. 8, the data plane 122 of the switch 100 may check the one or more applications 214A against a verified version of the applications 214A presented in an application and application reputation store 804. In one embodiment, the application and application reputation store 804 may be a third-party application store offered by a third-party software developer. In another embodiment, the application and application reputation store 804 may be a program resident on the one or more storage devices 106 executable by the one or more off load engines of the switch 100. The data plane 122 of the switch 100 may perform this checking through the VSC 242A. In one embodiment, the VSC 242A may be an in-band VSC; in another embodiment, the VSC 242A may be an out-of-band VSC.

In addition, the one or more applications 214A may also receive a software update from the application and application reputation store 804 through the VSC 242B. The control plane 120 (not shown in FIG. 8) of the switch 100 may determine that the one or more applications 214A are in need of an update and may instruct the data plane 122 of the switch 100 to open the VSC 242B to query the application and application reputation store 804 for an update. In one embodiment, the VSC 242B may be an in-band VSC; in another embodiment, the VSC 242B may be an out-of-band VSC.

Similarly, the data plane 122 of the switch 100 may check the OS 800 and the OS kernel 802 against their respective verified versions, through one or more VSCs. As depicted in FIG. 8, the OS 800 of the client device 208A may be checked against a verified version of the OS provided by an OS developer 806. This checking may be performed through the VSC 242C. In one embodiment, the VSC 242C may be an in-band VSC; in another embodiment, the VSC 242C may be an out-of-band VSC. Additionally, the OS kernel 802 of the client device 208A may be verified through the VSC 242N using a verified version of the OS kernel 802 provided by the OS developer 806. In one embodiment, the VSC 242N may be an in-band VSC; in another embodiment, the VSC 242N may be an out-of-band VSC.
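The application, OS and kernel checks of FIG. 8, as an added example that is not code from the patent: the data plane hashes the image it obtains from the client device and compares the digest against every verified version the reputation store or OS developer publishes, distinguishing a current verified image, a genuine but outdated one (update pushed), a modified or unrecognised image (update pushed, integrity considered compromised), and a component for which nothing verified exists. Comparing digests rather than version strings is the point: a client cannot claim a version it does not actually run. The component names, version numbers and the byte strings standing in for binaries are constructed for this example.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed stand-ins for the application and application reputation store 804
# and the OS developer 806: each component maps version -> verified image. The
# "images" are short byte strings in place of real binaries; the component
# names and version numbers are assumptions of this example.
VERIFIED_IMAGES: Dict[str, Dict[str, bytes]] = {
    "application-214A": {"1.2.0": b"application-214A build 1.2.0",
                         "1.3.0": b"application-214A build 1.3.0"},
    "os-800":           {"11.4": b"os-800 image 11.4"},
    "os-kernel-802":    {"5.15.0": b"os-kernel-802 image 5.15.0",
                         "5.15.1": b"os-kernel-802 image 5.15.1"},
}
LATEST_VERSION = {"application-214A": "1.3.0", "os-800": "11.4", "os-kernel-802": "5.15.1"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# What the store actually publishes over the VSC: digests, not the images.
REPUTATION_STORE: Dict[str, Dict[str, str]] = {
    name: {ver: sha256_hex(img) for ver, img in versions.items()}
    for name, versions in VERIFIED_IMAGES.items()
}


def verify_component(name: str, reported_digest: str) -> Tuple[str, Optional[str]]:
    """Compare the digest of the image found on the client device with every
    verified version of that component. Returns (verdict, version to push)."""
    known = REPUTATION_STORE.get(name)
    if known is None:
        return "untrusted-component", None            # nothing verified exists for it
    for version, digest in known.items():
        if hmac.compare_digest(digest, reported_digest):
            if version == LATEST_VERSION[name]:
                return "verified", None
            return "update-required", LATEST_VERSION[name]   # genuine but old
    return "unknown-image", LATEST_VERSION[name]      # modified or unrecognised build


def check_client_device(images_on_device: Dict[str, bytes]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Data plane side: hash each component image received over the VSC, verify it."""
    return {name: verify_component(name, sha256_hex(img))
            for name, img in images_on_device.items()}


def updates_to_push(results: Dict[str, Tuple[str, Optional[str]]]) -> Dict[str, str]:
    """Components whose integrity failed or lags the verified version get an update."""
    return {name: target for name, (verdict, target) in results.items() if target}
```

An "unknown-image" verdict on the kernel is the case the page calls compromised integrity; pushing the verified image is the automatic response, and the verdict itself belongs in the accounting database alongside the device's configuration record.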

Reference is now made to FIG. 9, which illustrates the switch 100 of FIG. 1 separating traffic in a multitenant network, according to one or more embodiments. In this embodiment all VSCs are managed by the control plane 120 of the switch 100 (see FIG. 2). As shown in FIG. 9, VSCs 242A and 242B (depicted as large cylinders in FIG. 9) and virtual network 900N are used to deliver resource level traffic flows. Such resource level traffic flows include web traffic 902, command traffic 904, voice over internet protocol (VOIP) traffic 906, corporate application traffic 908, personal email traffic 910, streaming video traffic 912, and corporate email traffic 914. In one example embodiment shown in FIG. 9, web traffic 902, command traffic 904, and VOIP traffic 906 may be delivered over VSC 242A. Command traffic 904 may refer to a set of commands received from a remote switch in the form of data packets. As indicated in FIG. 9, web traffic 902 and command traffic 904 may further be segregated into a virtual network 900A. It should be understood by one of ordinary skill in the art of networking that virtual networks 900A to 900N may refer to virtual local area networks (VLANs). In one embodiment, a VLAN is created by tagging data packets transmitted through a VSC with one or more VLAN identifiers. For more information on the creation of VLANs and virtual networking standards, please refer to the IEEE 802.1 Working Group's discussion on the topic, http://www.ieee802.org/1/.

The third stream of traffic, VOIP traffic 906, delivered through the VSC 242A may be delivered through another virtual network (shown as virtual network 900B in FIG. 9) along with the corporate application traffic 908 delivered through VSC 242B. Thus, it is possible for the control plane 120 of the switch 100 to segregate streams of network traffic from different VSCs into the same virtual network. Moreover, in an alternative embodiment not shown in FIG. 9, all three streams of traffic (for example, web traffic 902, command traffic 904, and VOIP traffic 906) may be delivered through one VSC established over one, and only one, virtual network. Also depicted in FIG. 9 is a second stream of network traffic (shown in FIG. 9 as corporate application traffic 908) delivered over VSC 242B and further segregated into virtual network 900C.

In an alternative embodiment shown at the bottom of FIG. 9, one or more VSCs (for example, VSC 242C to VSC 242N) may be established over a virtual network 900N (shown in FIG. 9 as a dotted cylinder). In this embodiment, the network traffic flow is still delivered through the VSC, but several VSCs are now aggregated into one virtual network 900N. For example, streaming video traffic 912 may be delivered through the VSC 242N and corporate email traffic 914 may be delivered through the VSC 242C. A determination of whether the former network arrangement (virtual networks or VLANs established over VSCs) or the latter network arrangement (VSCs established over virtual networks or VLANs) is used may be made by a network administrator.
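An added example of the tagging described for FIG. 9, written for this page rather than taken from the patent: the control plane's policy maps a tenant, a VSC and a traffic class to a virtual network, the data plane inserts an IEEE 802.1Q tag carrying that VLAN identifier, and the ingress check refuses frames whose VID another tenant owns, which is the separation the multitenant arrangement depends on. The numeric VIDs standing in for virtual networks 900A, 900B and 900C, the priority code points, the MAC addresses and the policy entries are constructed assumptions; the tag layout (TPID 0x8100, then PCP, DEI and a 12-bit VID) is the standard's.

```python
import struct
from typing import Dict, Optional, Set, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed policy after FIG. 9: (tenant, VSC, traffic class) -> VLAN ID. The
# numeric VIDs standing in for virtual networks 900A/900B and the PCP values
# are assumptions of this example.
VLAN_POLICY: Dict[Tuple[str, str, str], int] = {
    ("tenant-916A", "vsc-242A", "web"):        100,   # virtual network 900A
    ("tenant-916A", "vsc-242A", "command"):    100,   # virtual network 900A
    ("tenant-916A", "vsc-242A", "voip"):       101,   # virtual network 900B
    ("tenant-916A", "vsc-242B", "corp-app"):   101,   # virtual network 900B
    ("tenant-916B", "vsc-242C", "corp-email"): 200,   # second tenant, own VID range
}
PRIORITY = {"voip": 5, "command": 6}   # 802.1p priority code point per class


def vlan_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an IEEE 802.1Q tag after the destination and source MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID 0 and 4095 are reserved")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("bad PCP/DEI")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_vlan(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (VID or None if untagged, inner EtherType, payload)."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]


def untagged_frame(dst_mac: bytes, src_mac: bytes, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + payload


def classify_and_tag(frame: bytes, tenant: str, vsc: str, traffic_class: str) -> bytes:
    """Control plane 120 decides the virtual network for a VSC's flow; the data
    plane tags the frame. No policy entry means the flow has no virtual network."""
    vid = VLAN_POLICY.get((tenant, vsc, traffic_class))
    if vid is None:
        raise PermissionError(f"no virtual network for {tenant}/{vsc}/{traffic_class}")
    return vlan_tag(frame, vid, pcp=PRIORITY.get(traffic_class, 0))


def tenant_vids(tenant: str) -> Set[int]:
    return {vid for (t, _, _), vid in VLAN_POLICY.items() if t == tenant}


def ingress_allowed(frame: bytes, tenant: str) -> bool:
    """Reject frames carrying a VID the tenant does not own (cross-tenant hopping)
    and untagged frames, which would otherwise land on the native VLAN."""
    vid, _, _ = parse_vlan(frame)
    return vid is not None and vid in tenant_vids(tenant)
```

Whether VLANs are layered over VSCs or VSCs over VLANs, the same policy table answers the question the data plane must ask on every frame: does this VID belong to the tenant and VSC the frame arrived on.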

Furthermore, the various network arrangements depicted in FIG. 9 may be implemented by one tenant (for example, tenant 916A) or by multiple tenants as defined by one or more cloud networking standards. A tenant 916B may implement a different network arrangement on the same multitenant network. Different network arrangements may be implemented by multiple tenants (e.g., tenant 916A, tenant 916B, tenant 916N, etc.).

Additionally, the switch 100 may enable and support a quality-of-service (QoS) mechanism on one or more of the VSCs by applying one or more virtual secure network processor algorithms to a data packet to provide a circuit switched packet data functionality at an L2 or L3 networking layer.

A number of embodiments have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the claimed invention. In addition, the logic flows depicted in the figures do not require the particular order shown, or sequential order, to achieve desirable results. In addition, other steps may be provided, or steps may be eliminated, from the described flows, and other components may be added to, or removed from, the described systems. Accordingly, other embodiments are within the scope of the following claims.

It may be appreciated that the various systems, methods, and apparatus disclosed herein may be embodied in a machine-readable medium and/or a machine accessible medium compatible with a data processing system (e.g., a computer system), and/or may be performed in any order.

The structures and modules in the figures may be shown as distinct and communicating with only a few specific structures and not others. The structures may be merged with each other, may perform overlapping functions, and may communicate with other structures not shown to be connected in the figures. Accordingly, the specification and/or drawings may be regarded in an illustrative rather than a restrictive sense.

The process flows and flow diagrams depicted in the figures do not require the particular order shown, or sequential order, to achieve desirable results. In addition, other steps may be provided, or steps may be eliminated from the described flows, and other components may be added to or removed from the depictions.

What is claimed is:
 1. A machine-implemented method, comprising: opening at least one of an in-band channel or an out-of-band channel over a network; authenticating, through a control plane of a switch managing the network, a user of a resource over at least one of the in-band channel or the out-of-band channel; authorizing the user, through the control plane, access to the resource over at least one of the in-band channel or the out-of-band channel; and accounting for a transaction conducted by the user accessing the resource, through the control plane, over at least one of the in-band channel or the out-of-band channel.
 2. The method of claim 1, wherein at least one of the in-band channel and the out-of-band channel is opened at one of a resource level, a resource flow level, and a network level using at least one of a user identity, a client device identity, and a resource identity distributed through a public key infrastructure.
 3. The method of claim 1, further comprising: receiving a configuration data from a client device of the user, through a near field communication (NFC) chip embedded in the switch, and issuing a health data of the switch to the client device through the NFC chip.
 4. The method of claim 1, further comprising: authenticating the user of the resource by comparing a user identity against a stored identity in an authentication database of the control plane, wherein the user identity is received through at least one of the in-band channel and the out-of-band channel.
 5. The method of claim 1, further comprising: authorizing the user access to the resource by: generating, through the control plane, a one-time encrypted software token (EST) for the user based on a key agreement technique and at least one of a user identity, a client device identity, and a resource identity, storing the one-time EST generated in a key management database of the control plane, analyzing and comparing, through a hash comparison engine of the control plane, a hash of an independently generated EST received from the client device of the user against the one-time EST stored in the key management database, and granting the user access to the resource through at least one of the in-band channel and the out-of-band channel based on a result of the comparison.
 6. The method of claim 1, further comprising: accounting for a transaction conducted by the user accessing the resource in near real-time by storing a historical and a near real-time information related to at least one of the user, a client device used by the user, the resource, the transaction, the in-band channel, and the out-of-band channel in an accounting database of the control plane.
 7. The method of claim 6, further comprising: accounting for the transaction conducted by the user by: performing, through a data plane of the switch managing the network, a deep-packet-inspection (DPI) of a data packet transmitted through at least one of the in-band channel and the out-of-band channel, and filtering out, through the data plane of the switch managing the network, a data packet not transmitted through at least one of the in-band channel and the out-of-band channel.
 8. The method of claim 6, further comprising: accounting for the transaction conducted by the user by: identifying, through a data plane of the switch managing the network, a true source and a destination of a malicious data packet transmitted through at least one of the in-band channel and the out-of-band channel, and redirecting and duplicating, through the data plane of the switch managing the network, in near-real time the malicious data packet for further analysis.
 9. The method of claim 6, further comprising: accounting for the transaction conducted by the user by: checking, through a data plane of the switch managing the network, an application on the client device of the user against a verified version of the application presented in a third-party application and application reputation store through at least one of the in-band channel and the out-of-band channel; and checking, through the data plane of the switch, an operating system and an operating system kernel on the client device of the user against a verified version of the operating system and the operating system kernel through at least one of the in-band channel and the out-of-band channel.
 10. The method of claim 6, further comprising: accounting for the transaction conducted by the user by: issuing, through a data plane of the switch managing the network, an update for at least one of the application, the operating system, and the operating system kernel through at least one of the in-band channel and the out-of-band channel.
 11. A switch, comprising: one or more off load engines, host processors, and co-processors embedded in a switch to manage a network; one or more near field communication (NFC) chips communicatively coupled to the one or more host processors; one or more storage devices and memory devices communicatively coupled to the one or more off load engines, host processors, and co-processors; and one or more programs, wherein the one or more programs are stored in the one or more storage devices and memory devices and executable by the one or more off load engines, host processors, and co-processors, with the one or more programs comprising: instructions to open at least one of an in-band channel or an out-of-band channel over the network, instructions to authenticate, through the control plane of the switch, a user of a resource over at least one of the in-band channel or the out-of-band channel, instructions to authorize the user, through the control plane, access to the resource over at least one of the in-band channel or the out-of-band channel, and instructions to account, for a transaction conducted by the user using the resource, through the control plane, over at least one of the in-band channel or the out-of-band channel.
 12. The switch of claim 11, wherein at least one of the in-band channel and the out-of-band channel is opened at one of a resource level, a resource flow level, and a network level using at least one of a user identity, a client device identity, and a resource identity distributed through a public key infrastructure.
 13. The switch of claim 11, further comprising: instructions to receive a configuration data from a client device of the user, through the one or more NFC chips embedded in the switch, and issue a health data of the switch to the client device through the one or more NFC chips.
 14. The switch of claim 11, further comprising: instructions to authenticate the user of the resource by comparing a user identity against a stored identity in an authentication database of the control plane, wherein the user identity is received through at least one of the in-band channel and the out-of-band channel.
 15. The switch of claim 11, further comprising: instructions to authorize the user access to the resource with further instructions to: generate, through the control plane, a one-time encrypted software token (EST) for the user based on a key agreement technique and at least one of a user identity, a client device identity, and a resource identity, store the one-time EST generated in a key management database of the control plane, analyze and compare, through a hash comparison engine of the control plane, a hash of an independently generated EST received from the client device of the user against the one-time EST stored in the key management database, and grant the user access to the resource through at least one of the in-band channel and the out-of-band channel based on a result of the comparison.
 16. The switch of claim 11, further comprising: instructions to account for a transaction conducted by the user accessing the resource in near real-time by storing a historical and a near real-time information related to at least one of the user, a client device used by the user, the resource, the transaction, the in-band channel, and the out-of-band channel in an accounting database of the control plane.
 17. The switch of claim 16, further comprising: instructions to account for the transaction conducted by the user with further instructions to: perform, through a data plane of the switch, a deep-packet-inspection (DPI) of a data packet transmitted through at least one of the in-band channel and the out-of-band channel, and filter out, through the data plane of the switch, a data packet not transmitted through at least one of the in-band channel and the out-of-band channel.
 18. The switch of claim 16, further comprising: instructions to account for the transaction conducted by the user with further instructions to: identify, through a data plane of the switch, a true source and a destination of a malicious data packet transmitted through at least one of the in-band channel and the out-of-band channel, and redirect and duplicate, through the data plane of the switch, in near-real time the malicious data packet for further analysis.
 19. The switch of claim 16, further comprising: instructions to account for the transaction conducted by the user with further instructions to: check, through a data plane of the switch, an application on the client device of the user against a verified version of the application presented in a third-party application and application reputation store through at least one of the in-band channel and the out-of-band channel, and check, through a data plane of the switch, an operating system and an operating system kernel on the client device of the user against a verified version of the operating system and the operating system kernel through at least one of the in-band channel and the out-of-band channel.
 20. The switch of claim 16, further comprising: instructions to account for the transaction conducted by the user with further instructions to: issue, through a data plane of the switch, an update for at least one of the application, the operating system, and the operating system kernel through at least one of the in-band channel and the out-of-band channel.